RSA Conference: Doing greater analysis from sinkholed data

News by Dan Raywood

Dell SecureWorks has announced plans to enhance its sinkholing of botnets by doing further drill downs into the data, and encouraged others to do likewise.

According to a Dell SecureWorks Counter Threat Unit (CTU) report issued last week, sinkholing gives researchers a unique perspective on past, present and future attacks, as it allows them to re-animate infected systems that have been inactive for months and to find victims who have remained infected despite ever-improving anti-virus protections.

It said: “Simply knowing someone is infected doesn't give any context to understanding what malware was used against the victim and attributing that data to the actors behind the infection. This context can be obtained by doing deeper analysis on the sinkhole traffic, and we can start to understand the ‘what and why' behind these victims.

“By being able to link the infected victims to the unique malware that was used, we can use that intelligence to correlate back to a larger picture of the groups behind the attack.”

Speaking to SC Magazine, Dell SecureWorks CTU director of malware research Joe Stewart and security researcher Silas Cutler said that they have proved that they can do sinkholing, but the next stage is to find the victims, clean them up and use that to investigate what each victim was running and identify new malware families.

Cutler said: “We will do a test of the data we collect and do analysis with a new tool we are introducing to identify who the victim is, and especially when you drill down to get the granular details, doing this will help identify if they are part of a campaign.

“Once you have identified them you can find out who is still infected and help them get cleaned up and do insight into them.”

SecureWorks was quick to point out that the victims were not its customers but members of a botnet it had taken control of; having identified an infected government body, university or contractor, it reached out to notify them and work with them.

Stewart said: “We will go through a pool of data and make it workable to go through the history to evaluate what has been done. One could be new variants or modified versions that open the door to new malware such as Poison Ivy and things of that nature.”

Cutler said: “Some malware can be two years old and undetected; just look at Stuxnet. There are small levels of protection in companies. These are more designed for remote code execution.”

Stewart said: “Even though they are huge, they are difficult to track due to their sheer size and with Zeus and Citadel, they went into the host. These are tricking networks with one objective. They use the tools to download other malware, so on one hand you had targeted victims and on the other, you have hundreds of individual victims.”

Stewart said he wrote a tool to do this granular deep drill, which Cutler told SC he plans to release in an open-source format for others to use. “This can provide a daily report and show the top infectors. All sharing data helps us win. We want to get to the people who are infected and know about it to get themselves secure,” he said.

Presenting at last week's RSA Conference in San Francisco on 'advanced malware sinkholing,' Cutler and Stewart said that the work was more about gaining intelligence, and about what the CTU can learn from the data so it can put together the 'who and what' of malware campaigns.

Stewart said: “The question is how to get access to the botnet; the most common is the legal route of taking a domain from an attacker. Also, by sending a domain to a third party it allows researchers to take over a botnet with the permission of the registrar, so you go through an expiration period, and it can take months to go through. Then you see the traffic and often see victims phoning home.

“Often with sinkholing you know what you are looking for, so don't do in-depth data analysis. Often we see hundreds of families of malware and don't want to set up a sinkhole for each domain as maybe it is not speaking to the HTTP protocol, so we figure out a way to see when a request is being made.”
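The article does not publish Stewart's tool, so the block below is an added example rather than SecureWorks' code. It illustrates the two points just quoted: a sinkhole listener sees many malware families at once, not all of them speaking HTTP, and the value comes from aggregating the check-ins into a daily report of the top infectors and of which victims are still phoning home. The log format, the domain-to-family mapping and every address and domain in it are constructed placeholders, not real indicators.

```python
"""Added example: a daily 'top infectors' report over constructed sinkhole logs.

This is illustrative code, not the CTU tool described in the article. The log
format (timestamp, victim IP, destination port, sinkholed domain, first bytes
sent) and the domain-to-family table are assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed mapping of sinkholed C2 domains to the malware family that used
# them. Placeholder names only; none of these are real indicators.
DOMAIN_TO_FAMILY = {
    "c2-alpha.example": "FamilyA",
    "update-beta.example": "FamilyB",
    "beacon-gamma.example": "FamilyC",
}

# Constructed sinkhole log. Non-HTTP payloads are recorded as escaped bytes,
# because a sinkhole that only answers HTTP would miss those families entirely.
SAMPLE_LOG = """\
2013-03-01T00:01:10Z 198.51.100.7 80 c2-alpha.example GET /gate.php?id=1 HTTP/1.1
2013-03-01T00:02:33Z 198.51.100.7 80 c2-alpha.example GET /gate.php?id=1 HTTP/1.1
2013-03-01T00:05:02Z 203.0.113.15 80 update-beta.example POST /u.php HTTP/1.1
2013-03-01T00:07:45Z 203.0.113.99 443 beacon-gamma.example \\x16\\x03\\x01\\x00
2013-03-01T00:09:00Z 192.0.2.44 8080 c2-alpha.example \\x00\\x00\\x00\\x0c\\x01
2013-03-02T00:01:00Z 198.51.100.7 80 c2-alpha.example GET /gate.php?id=1 HTTP/1.1
"""

# A request line is the cheapest way to tell HTTP check-ins from opaque ones.
HTTP_REQUEST = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/\d\.\d")


@dataclass(frozen=True)
class Checkin:
    day: str
    victim_ip: str
    dst_port: int
    domain: str
    family: str
    protocol: str  # "http" or "opaque"


def parse_sinkhole_log(text: str) -> list[Checkin]:
    """Parse one check-in per line; unknown domains are kept, labelled 'unknown'."""
    checkins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port, domain, payload = line.split(maxsplit=4)
        protocol = "http" if HTTP_REQUEST.match(payload) else "opaque"
        checkins.append(Checkin(
            day=ts[:10], victim_ip=ip, dst_port=int(port), domain=domain,
            family=DOMAIN_TO_FAMILY.get(domain, "unknown"), protocol=protocol))
    return checkins


def daily_top_infectors(checkins: list[Checkin]) -> dict[str, list[tuple[str, int]]]:
    """Per day, families ranked by distinct victim IPs (repeat beacons count once)."""
    victims = defaultdict(lambda: defaultdict(set))
    for c in checkins:
        victims[c.day][c.family].add(c.victim_ip)
    return {
        day: sorted(((fam, len(ips)) for fam, ips in fams.items()),
                    key=lambda t: (-t[1], t[0]))
        for day, fams in sorted(victims.items())
    }


def persistent_victims(checkins: list[Checkin], min_days: int = 2) -> dict[str, list[str]]:
    """Victims seen on at least min_days distinct days: still infected, worth notifying."""
    days_seen = defaultdict(set)
    for c in checkins:
        days_seen[c.victim_ip].add(c.day)
    return {ip: sorted(days) for ip, days in days_seen.items() if len(days) >= min_days}


def render_report(checkins: list[Checkin]) -> str:
    lines = []
    for day, ranking in daily_top_infectors(checkins).items():
        lines.append(f"{day}: " + ", ".join(f"{fam}={n}" for fam, n in ranking))
    for ip, days in persistent_victims(checkins).items():
        lines.append(f"still infected: {ip} ({len(days)} days)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(parse_sinkhole_log(SAMPLE_LOG)))
```

Counting distinct victim IPs rather than raw requests matters because a single infected host can beacon many times a day and would otherwise dominate the ranking; the persistence check is what turns a traffic dump into a notification list.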

Stewart said that going forward, the CTU wanted to see more people getting involved in this, and he encouraged people to submit data, as he wanted to see people sharing data to do this work.

Cutler said: “This is a daily task and it is challenging, but the data we're getting makes up for the risks.”
